
Pity the poor credit card. In these days of smartphones, tablets, and sharks with frickin' laser beams attached to their heads, they just seem so retro.

But they're getting a makeover. In Singapore, MasterCard has unveiled a credit card to be released in January 2013 that includes "an embedded LCD display and touch-sensitive buttons," the company said this week. Eventually, this card might use its display to show "real time information such as available credit balance, loyalty or reward points, recent transactions, and other interactive information." But for now, the technology will be used to generate one-time passwords as an extra security measure.

"The MasterCard Display Card, manufactured by NagraID Security, looks and functions almost exactly like a regular credit, debit or ATM card, but features an embedded LCD display and touch-sensitive buttons which allow a cardholder to generate a One-Time Password (OTP) as an authentication security measure," MasterCard said. "From January 2013 onwards, all Standard Chartered Online Banking or Breeze Mobile Banking users will use the Standard Chartered security token card as a new personal security device for higher-risk transactions such as payments or transfers above a certain amount, adding third party payees, or changing personal details."

The idea isn't a new one. It's not even MasterCard's first attempt. The company actually unveiled very similar cards in June 2010 for use in Turkey, and they have been rolled out to other countries such as Romania. Visa launched almost identical cards in Europe last year, and a company called Dynamics showed off some newfangled credit cards with displays at this year's Consumer Electronics Show. MasterCard touts the cards as a way to demand extra tokens from customers without making credit cards a hassle to use.

Stealing and using credit card data is far too easy, so adding two-factor authentication technology into the cards themselves strikes us as a good idea. But even without newfangled cards, the process of how we pay for stuff is getting an overhaul, albeit a slow one. NFC chips, Apple's Passbook, and Google Wallet are among the options for higher-tech ways to pay. The ubiquity of smartphones may make it more likely that phone-based systems will outpace the adoption of new types of credit cards, especially as these display cards have been around a couple of years without spreading worldwide. But most of us are still using regular old credit cards—and if our next credit cards embed some modern technology to make them more secure, so much the better.

47 Reader Comments

Does this mean we will have to remember to put our credit cards on the charger at night too? I can see this type of card working well at home for online transactions, but I don't see it surviving in a wallet for long periods of time. I haven't found any durability or maintenance info on the card yet though.

The one advantage to standard cards is they are totally passive, just don't scratch them up too much or set them on a large magnet and they work, versus standing in line at the checkout only to realize your phone has died and now you can't pay.

Does this mean we will have to remember to put our credit cards on the charger at night too? I can see this type of card working well at home for online transactions, but I don't see it surviving in a wallet for long periods of time. I haven't found any durability or maintenance info on the card yet though.

The one advantage to standard cards is they are totally passive, just don't scratch them up too much or set them on a large magnet and they work, versus standing in line at the checkout only to realize your phone has died and now you can't pay.

Why would you have problems with charging? If it's passive and powered by an induction coil or similar methods, charging it would be nothing, or pointless. RSA SecurID tokens do not require recharging, they are low-power enough that they survive with a basic battery for many months, if not years.

Standard cards have the same susceptibility to magnetic fields that other devices do, since the strip is magnetic data. And there's a lot of data on there. Depending upon if you're using track 1 or track 2.

I don't know about you, but when I go and make a large purchase in-person (as opposed to doing it online) I make sure that I have funds available and any methods of verification (such as phone or SMS) are available and working.

Does this mean we will have to remember to put our credit cards on the charger at night too? I can see this type of card working well at home for online transactions, but I don't see it surviving in a wallet for long periods of time. I haven't found any durability or maintenance info on the card yet though.

The one advantage to standard cards is they are totally passive, just don't scratch them up too much or set them on a large magnet and they work, versus standing in line at the checkout only to realize your phone has died and now you can't pay.

We have company MasterCards with LCD displays on them, never seen one die. Adding input options will be a further drain, but battery tech evolves pretty quickly, and the LCD displays have already been around for a couple years without apparent issue.

but features an embedded LCD display and touch-sensitive buttons which allow a cardholder to generate a One-Time Password (OTP) as an authentication security measure

How does this work? Is it similar to RSA's solution where you combine a pin with a time based number generator to authenticate? Given that RSA itself was hacked and had to reissue 40 million authenticators, I'm willing to say this is safer but not foolproof.

Does this mean we will have to remember to put our credit cards on the charger at night too? I can see this type of card working well at home for online transactions, but I don't see it surviving in a wallet for long periods of time. I haven't found any durability or maintenance info on the card yet though.

The Visa CodeSure card uses an e-ink display and the battery life of it is measured in years.

In short, you'll get sent a new card from your card issuer way before the battery will die.

Online transactions already have a 2-factor identification system with the CVV code, so this would really only be useful for in-store transactions.

CVV/2 is not a two-factor authentication. It's single-factor. It might appear as two-factor since you have to enter it to confirm some things, but that's because of PCI:DSS standards that require merchants to NOT store that piece of information. CVV/2 data is typically stored on the magnetic stripe and is easily readable by any card reader.

issor wrote:

I like this, but I worry about going to pay for something and having a broken card or LCD. Almost as bad as needing cell signal to make an NFC purchase with cards stored on your phone.

If you need a cell signal to make a NFC payment, your NFC technology is not up to standard. The NFC mechanism itself is nothing more than a radio, and reads from a secure element within the phone that stores information in a secure format. The only one that needs connectivity is the NFC reader, and even if they don't have connectivity, the transactions are stored for bulk processing at a later time (as are most card transactions for smaller merchants).

Online transactions already have a 2-factor identification system with the CVV code, so this would really only be useful for in-store transactions.

CVV/2 is not a two-factor authentication. It's single-factor. It might appear as two-factor since you have to enter it to confirm some things, but that's because of PCI:DSS standards that require merchants to NOT store that piece of information. CVV/2 data is typically stored on the magnetic stripe and is easily readable by any card reader.

If you want to make CVV/2 more secure, then there are cards which support Dynamic CVV - essentially a new CVV/2 number is generated every minute in a similar way to the RSA tokens.

At payment, the CVV/2 is passed from the merchant to the issuer (via the processor) who can validate that the number is correct before authenticating the transaction.

Downside is that the costs of the cards are significantly more expensive and you need a server attached to your authentication platform to validate the dynamic CVVs.
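The time-stepped code and issuer-side validation described in the comment above, as an added example that is not part of the original article or comments. The page does not say which algorithm Dynamic CVV or the Display Card uses; this sketch assumes an RFC 6238-style HMAC-SHA1 code, and the `IssuerValidator` class, the key and the card id are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the comment says a new code is generated "every minute"
DIGITS = 3          # CVV/2-sized code (assumption for this sketch)


def time_code(card_key, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, truncated."""
    counter = unix_time // step
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class IssuerValidator:
    """Hypothetical issuer-side server: clock-drift window plus replay rejection."""

    def __init__(self, keys, drift_steps=1, digits=DIGITS):
        self.keys = keys                # card id -> per-card secret
        self.drift_steps = drift_steps  # accept codes +/- this many steps from now
        self.digits = digits
        self.last_counter = {}          # card id -> newest time step already spent

    def validate(self, card_id, code, now):
        key = self.keys.get(card_id)
        if key is None or len(code) != self.digits:
            return False
        if not (code.isascii() and code.isdigit()):
            return False
        current = now // STEP_SECONDS
        floor = self.last_counter.get(card_id, -1)
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= floor:
                continue                # this step, or a later one, was already used
            expected = time_code(key, counter * STEP_SECONDS, digits=self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter[card_id] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real card or issuer.
    key = b"constructed-demo-secret"
    issuer = IssuerValidator({"card-1": key})
    now = 1_700_000_000
    code = time_code(key, now)
    print("code shown on card:", code)
    print("first use accepted:", issuer.validate("card-1", code, now))
    print("replay accepted:", issuer.validate("card-1", code, now))
```

With a three-digit code the drift window matters more than it does for a six-digit token: each extra accepted time step gives a random guess another 1-in-1000 chance, so the issuer also needs attempt limits per card.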

Does this mean we will have to remember to put our credit cards on the charger at night too? I can see this type of card working well at home for online transactions, but I don't see it surviving in a wallet for long periods of time. I haven't found any durability or maintenance info on the card yet though.

The Visa CodeSure card uses an e-ink display and the battery life of it is measured in years.

In short, you'll get sent a new card from your card issuer way before the battery will die.

Well aside from the difficulty reading in low light, the blind wouldn't be able to use these new features.

Most of the US hasn't even adopted chip cards yet, despite being an ancient technology already. So fat chance seeing this being brought stateside.

Are you referring to the chip cards which people would literally hole punch the chips out to avoid walk-by or ranged (granted not much) card skimming?

yeah, i'd love to hole-punch the "Blink" chip out of my card... except that i'd also remove part of the magstripe in the process. i can see the bulge of the rfid chip on the front face of my card. wonder if you can smash it the way some folks do to the rfid in their passport... (i don't have a passport)

If you want to make CVV/2 more secure, then there are cards which support Dynamic CVV - essentially a new CVV/2 number is generated every minute in a similar way to the RSA tokens.

At payment, the CVV/2 is passed from the merchant to the issuer (via the processor) who can validate that the number is correct before authenticating the transaction.

Downside is that the costs of the cards are significantly more expensive and you need a server attached to your authentication platform to validate the dynamic CVVs.

That's a great idea, but some banks have used the proliferation of mobile devices to cut some of the cost and enhance the security by distributing a mobile application to the device that's used to generate a one-time passphrase, or simply send an SMS to the device with the OTP as a method of two-factor auth.

There are all kinds of solutions to the problem, but the problem is regulation and the slow adoption of technology by the banking industries (whether due to regulation, greed, or some other factor).

Online transactions already have a 2-factor identification system with the CVV code, so this would really only be useful for in-store transactions.

So we're now taking an efficient, reliable, and speedy payment method and "upgrading" it by including a verification system that will inevitably make credit card transactions as slow as cash?

"Uh, hold on just one... no not 6, you stupid thing, 5! Where's the backspace? Oh, great, it cleared the whole code. What do you mean "LOCKED??" Okay, let me restart the card."

Payment Systems upgrades are improved on three factors: speed, security, reliability. This will tremendously detract from the first and third while providing only marginal benefit to the middle.

yeah, in the last decade I think I've seen the trend going the other way in favor of speed. I feel like the only time I have to sign a paper slip anymore is with small local businesses. Everything else is QPS, touchscreen pad or 4-button PIN keypress. I don't want the people in front of me in line to have to look up information

Read the article, this is used as 2FA for online banking logins. Singapore requires banks providing online banking to implement 2FA as well. This is nice because it'll force customers to carry the card around, probably increasing card usage over competitors. Or it'll save customers from carrying two (2FA device and card) around.

There are three reasons why this technology--or traditional smart cards for that matter--will never be adopted in the US:

First, the cards are more expensive. Traditional magnetic stripe cards cost financial institutions less than $1 delivered into the hands of the consumer. Smart cards are several times more expensive than that and, contrary to some expectations, typically don't last any longer than their magnetic stripe ancestors: the chip is brittle and fragile and the typical wallet is a hostile environment from the perspective of bending moment.

Second, fraud is a profit center for card issuers. The cost of the fraud is marked up and sold to the merchants in the form of a percentage of sales (ironically called the "discount rate") in trade for guaranteed payment

Taken together, these two factors are downright synergistic. Increase the cost of maintaining your card base fourfold while delivering less fraud which the merchants will realize they should be paying lower rates for? What a deal!

The third reason is that other disruptive technologies are on the near horizon. Smart cards are destined to be "about to happen" right up to the point that they're obsolete.

Read the article, this is used as 2FA for online banking logins. Singapore requires banks providing online banking to implement 2FA as well. This is nice because it'll force customers to carry the card around, probably increasing card usage over competitors. Or it'll save customers from carrying two (2FA device and card) around.

The future applications part is nice, but probably wouldn't happen.

I really wish there were a 2FA solution that was widely accepted by financial institutions and online merchants. I don't even care what it is, although I'm picturing something like YubiKey. People who want the added security could buy the device for, say, $50, and then use it to strengthen their authentication to all kinds of sites like the banks, credit card companies' web sites, Amazon, eBay - wherever you exchange financial information that's at risk of theft.

The rest of my fantasy is that if a user chose to use the 2FA solution at his/her own expense, the institution or merchant would indemnify them against fraud. For those who opt out, if their password gets compromised, it's their own problem.

These new MC and VISA cards are nice, and will improve the state-of-affairs of "card not present" security very substantially. However, they are still much more vulnerable to certain man-in-the-middle (MITM) plus social-engineering tricks, than they need to be.

— Integrating this system into the card will make MITM/ social-engineering attacks (perhaps the main weakness of this new system) ergonomically MUCH harder to pull off! The marginal costs of doing this would be minimal.

DISCLOSURE: While I have no financial interest in PassWindow, I have spent a lot of time talking to its developers (trying to pick holes in their system), to the extent that they are becoming my friends. I have recently co-authored (heavily edited) a commercial white-paper on their product... So I could be said to have a little time and reputation invested in this product now.

There are three reasons why this technology--or traditional smart cards for that matter--will never be adopted in the US:

First, the cards are more expensive. Traditional magnetic stripe cards cost financial institutions less than $1 delivered into the hands of the consumer. Smart cards are several times more expensive than that and, contrary to some expectations, typically don't last any longer than their magnetic stripe ancestors: the chip is brittle and fragile and the typical wallet is a hostile environment from the perspective of bending moment.

I don't know — I live in Britain (I'm guessing you're American, and are yet to experience much of chip-and-pin). I've had problems with magnetic stripes, even on some relatively new cards (perhaps on cheap cards, where the magnetism is too easily overwritten/ erased while being heated in my pocket etc). But I've hardly had any problems with chip & pin cards (except the ones I use every day, after a couple of years, where the card is one of the cheaper ones and I actually wore out the contact surface — my bank is replacing them with more durable ones)... "the chip is brittle and fragile" — I've never found this. The chips inside my bank cards take a big, sharp pair of scissors to snip them up, at the end of the card's life. Other than that, I can stomp on the card all I want, and the chip is unaffected. This is one of the great strengths of small objects (they're often very durable), especially when they're comparatively hard, slightly flexible and encased in a thicker piece of plastic...

john_r_graham wrote:

Second, fraud is a profit center for card issuers. The cost of the fraud is marked up and sold to the merchants in the form of a percentage of sales (ironically called the "discount rate") in trade for guaranteed payment

Taken together, these two factors are downright synergistic. Increase the cost of maintaining your card base fourfold while delivering less fraud which the merchants will realize they should be paying lower rates for? What a deal!

It may be a profit-centre for some of THEM (the suppliers of banks); but it's not for me. If I had a choice between two banks (one offering chip and pin card, and the other not); the bank offering the chip based card would command a $20–$40 premium per year for me, because I'd feel much safer with chip-and-pin. Besides which, even for card issuers, selling a lesser quantity of a more expensive card design can be a profitable business strategy, especially if the contract shares the economies effectively, as any good contract should do...

john_r_graham wrote:

The third reason is that other disruptive technologies are on the near horizon. Smart cards are destined to be "about to happen" right up to the point that they're obsolete.

Like what? NFC??? I'm not totally comfortable with that yet, because there are security issues that may need to be ironed out — go and read, for example, about London's Oyster travel payment cards, which use basically similar technology: http://en.wikipedia.org/wiki/Oyster_car ... ity_issues

There's simply nothing on the market at the moment (already deployed) with the same profile of convenience and security, as chip-and-pin (if I'm wrong about that, please let me know!)

I think you're just in a state of denial about the state of the US market, in terms of how far behind/ahead they are with technology (I'm actually seriously wondering whether North Korea or parts of Africa have a greater relative penetration of chip-and-pin cards/terminals than the USA does — let's not even talk about South Korea). Unless of course, the USA is about to come from behind and overtake the rest of the world with payment card technology (in the same way they clearly have done with broadband internet services), while the rest of us languish on this old generation of technology that the USA wisely skipped over???

State of denial? Well, maybe, but I don't think so. The US has a technology that could prevent most of the fraud without smart cards: it's called PIN on credit. It uses the same infrastructure and networks as the PIN-based debit and has the advantage that most points of sale already have the equipment. The reason we don't do it is that the card issuers don't want it.

1) How are we supposed to dispose of the cards? Currently, when I get shipped a new card, I shred the old one. I don't imagine shredding is going to be much of an option with these. I might send the old one back to the bank, but I am not going to trust a third party with it.

2) In the long run, I wonder if this could be the underpinning to deploying the single card concept more effectively - when you want to make a purchase, you select the card that you want to use and enter your pin and (for the time being) it updates the magstrip information on the fly - it could even have a default that you don't need to unlock for your common transactions. If someone like Google offered it, it could even accommodate different issuers. I don't know exactly what information is transmitted in the transaction, but there could be a change in some integer that would let them know who to pass the transaction to. But, I'm rambling.

You could probably make a secure payment system with one of these. Place card into chip enabled machine, total price displays on screen, hit sign, price is locked in, enter pin (or whatever) on card and hit OK, wait for transaction to complete and you're done.

Unlike the current chip and pin, you don't have to enter your pin on a device you don't control, and you don't have to trust a device you don't control to tell you the correct amount of the transaction. You would need new credit card readers though, all of the chip and pin readers I've seen would obscure some of the buttons with the design shown. Also, a 6-digit 7-segment display is a bit limiting: they don't have a decimal indicator, and unless you use a numeric code, there's no way to know what currency the price would be in, so you would have to trust the merchant on that.